DSA key login and command execution via SSH on RouterOS

Since RouterOS 2.9.13 the support for SSH DSA keys and command execution via ssh connection is available.

This allows admins to run commands and scripts from a remote machine on a RouterOS equipped one without inserting interactively a password to authenticate (Public/Private Key Authentication).

To use this facility, only three configuration steps are necessary.

 

First step is to create a key using ssh-keygen.

ssh-keygen -t dsa

To Login in the remote machine without being prompted for key PassPhrase, it is possible to:
1. Leave passphrase blank during creation.
2. Use OpenSSL Toolkit to remove PassPhrase.
3. Use a local SSH-Agent to manage Key Authentication & Forwarding (RECOMMENDED)

 

Second step is upload via FTP the id_dsa.pub Key (Public Key) into the RouterOS device.

ftp mk.lab.bravi.org
Connected to mk.lab.bravi.org.
220 mk.lab.bravi.org FTP server (MikroTik 4.17) ready
Name (mk.lab.bravi.org:admin): admin
331 Password required for admin
Password:
230 User admin logged in
Remote system type is UNIX.
ftp> put id_dsa.pub 
local: id_dsa.pub remote: id_dsa.pub
227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XX).
150 Opening ASCII mode data connection for '/id_dsa.pub'
100% |******| 613 8.23 MiB/s --:-- ETA226 ASCII transfer complete
613 bytes sent in 00:00 (76.83 KiB/s)
ftp> exit

 

Third and last step is import the key in RouterOS Terminal (also possible using Winbox Client).

/user ssh-keys import file=id_dsa.pub user=admin

The user field determines which user account will be authenticated when using the specific Key.

 

By authenticating with the Public/Private Key, the process of sending commands to devices will be drastically simplified, for example in my old RB500 used in LAB:

ssh admin@mk.lab.bravi.org "/system resource print"

The immediate reply will be:

                   uptime: 5d17h7m59s
                  version: "4.17"
              free-memory: 47960kB
             total-memory: 62440kB
                      cpu: "MIPS 4Kc V0.10"
                cpu-count: 1
            cpu-frequency: 399MHz
                 cpu-load: 4
           free-hdd-space: 85420kB
          total-hdd-space: 126976kB
  write-sect-since-reboot: 1263
         write-sect-total: 31632
               bad-blocks: 0.1%
        architecture-name: "mipsle"
               board-name: "RB532A"
                 platform: "MikroTik"

Comments are closed.